Ways of protecting data

Global Publication February 2021

Intellectual property

There is a patchwork of intellectual property rights and contract rights that may apply to data. Understanding the way in which these rights come into play enables a business to understand how its data assets can be protected, as well as to understand which data that are available publicly can be re-used.

Patent rights

Patent law is largely uniform across the world. Patent rights:

  • Are monopoly rights and need to be applied for in respect of specific territories.
  • Can be asserted to prevent unauthorized parties from using the ideas claimed in the patent.
  • Are capable of protecting new and inventive ideas which have a technical effect capable of industrial application.

Data or a dataset per se are unlikely to bring about any specific technical effect, but ideas relating to data / a dataset, such as a new form of data structure, could be protected, provided that the new feature is inventive and brings about a technical effect.


Copyright

In many jurisdictions copyright is an unregistered right. In Europe it does not need to be applied for or registered, while in the US, for example, registration is recommended. Copyright gives the right-holder the right to prevent copying and other acts (such as distribution and publication) by unauthorized parties.

The scope of subject-matter in which copyright can subsist is very wide, and is not confined to literary and artistic works, computer software, and graphical works.

It can potentially extend to any expression of the author's own intellectual creation, usually if fixed in a medium of some kind. In the EU a recent case confirmed that an author’s intellectual creation means the personality of its author, as an expression of the author’s free and creative choices.1

Copyright may subsist in the contents of databases in some jurisdictions:

  • Europe: If a database constitutes mere information (e.g. measurement of something) then it is unlikely to attract copyright because it is a reflection of a fact, with no room for creative freedom. Copyright protection is available to databases if the selection or arrangement of their contents constitutes the author's own intellectual creation (meaning the personality of its author, as an expression of the author’s free and creative choices). That condition is not satisfied if the selection or arrangement was dictated by technical considerations, rules, or constraints which leave no room for creative freedom. It follows that it may be difficult to claim copyright in machine-generated data from IoT, blockchains / distributed ledger technology or AI. Such a right will also be difficult to establish if the arrangement of the data is obvious or trite (for example, a database comprised of price, quantity, product, and purchaser columns).
  • United Kingdom: The Copyright, Designs and Patents Act 1988 (CDPA 1988) provides for works that are “computer generated,” defining such a work as one “generated by computer in circumstances such that there is no human author of the work.” For such works, the author is taken to be the person “by whom the arrangements necessary for the creation of the work are undertaken” (Section 9(3), CDPA 1988). Such a provision is potentially applicable to machine-generated data created by, for example, AI. (It remains a point of contention whether the provisions are compatible with EU case law, which requires human input, or “intellectual creation.” That may not matter for works created after the end of the UK’s EU membership “transition period” now that the UK has left the EU.)
  • United States: The US Copyright Office has stated that “the data, facts, or other uncopyrightable material that appears in a compilation is not protected by the copyright in that work.2 Likewise, a registration for a compilation does not cover any previously published material, previously registered material, public domain material, or third party material that appears in the compilation.”3
  • Canada: The Canadian Copyright Act provides that work resulting from the selection or arrangement of data is subject to copyright protection when other criteria such as originality of the work are met. Originality requires a work to be made through the exercise of “human skill and judgment,” which may present a significant obstacle to establishing copyright in databases. However, in a 2017 decision, a court found that the selection or arrangement of certain seismic data met the requirement of originality, despite the fact that computers were used to heavily automate collecting and processing of the data.
  • China: An author under the PRC Copyright Law can only refer to a natural person or a legal entity. It can be difficult to confirm who the copyright holder is for machine-generated data in China.
  • Singapore: The Copyright Act (Cap. 63) of Singapore protects literary works including a compilation in any form. For a work such as a database to be protected by copyright in Singapore, it has to be original and expressed in a tangible form, such as in a recording or in writing. Originality means that there must be a minimum level of creativity in the creation of the work; a database which merely consists of the listing of content, without more, is unlikely to be protected under the Copyright Act.
  • Australia: The Copyright Act 1968 (Cth) is capable of protecting a database; a “literary work” is defined as including “a table, or compilation, expressed in words, figures or symbols and a computer program or compilation of computer programs.” However, the Act does not readily protect individual items of information within the database itself, and does not protect a database at all if the database was created by automated processes (e.g. electronically collected and compiled). This is because the Act only protects works created by a human author and many databases lack such an author.

Database right

Some jurisdictions provide for specific protection in relation to databases beyond that which might be conferred by copyright.

EU and the UK

In the EU and the UK (which has in the past implemented EU law) there is a specific “database right” for databases that fall within the (narrow) definition within the Database Directive: being “a collection of independent works, data or other materials arranged in a systematic or methodical way and individually accessible by electronic or other means.”

The EU database right does not apply to unstructured datasets; and even some structured datasets may not fall within the definition. Most datasets used in the digital economy are in the form of unstructured datasets.


A database may attract the EU database right protection if there has been qualitatively and / or quantitatively a substantial investment in either the obtaining, verification or presentation of the contents. Investment made to create / generate data is irrelevant in this regard.4

It may not be easy to claim the EU database right in relation to some machine-generated datasets, if they are simply created data, rather than data comprised of observed facts.5 Unlike other intellectual property rights, the existence of an EU database right depends on the amount of investment (not necessarily financial) put into establishing the database.

The EU database right is an unregistered right and gives the right-holder the right to prevent unauthorized copying and publication of qualitatively and / or quantitatively substantial parts of a database (meaning that third parties may copy / publish insubstantial parts of it). Mere consultation of a database does not, by itself, constitute an infringement of the database right.

The right-holder needs to be based in Europe (or the UK, in relation to UK database rights - which are to apply for databases created after the end of the UK’s EU membership transition period).

A new Data Act is proposed by the EU Commission to revise the suitability of current laws related to rights in databases.


Australia

There is no specific legislation in Australia that provides for a “database right.”

United States

Although the US may permit copyright registration of a creative selection or arrangement of data, there is no separate database right.

Trade secrets / law of confidentiality

In common law jurisdictions the law of confidentiality (or trade secrets law, as it is sometimes known) provides a right to prevent use or disclosure of confidential information / trade secrets. That can include data that has the requisite degree of confidentiality. Some jurisdictions include additional statutory rights in relation to trade secrets.

EU and the UK

In the EU and the UK, for example, under the Trade Secrets Directive:

  • Any information that has commercial value and which is “secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible” can be protected as a trade secret.
  • Where exploitation of the data extends beyond use for internal purposes to on-selling to third parties, it may be more difficult to demonstrate that such information is in fact confidential. For example, it may be difficult to satisfy a court that a dataset is truly confidential if any third party can obtain access to that information provided that it pays a fee to the "owner" of the information.
  • A trade secret holder will be expected to have taken appropriate measures to keep it a secret. In such circumstances, a claim for damages and / or an injunction may be made if there has been any unlawful access to the information or if access has been given on terms (such as for a specific use) but the recipient of that information has misused that information. This is not always easy to prove, and often results in the trade secret holder facing a dilemma because legal proceedings may well involve the disclosure of the secret information (which is claimed to be misused) to the wrongdoer.


Widened trade secret rights within the EU

The implementation of the EU Trade Secrets Directive has reinforced the rights of trade secret holders in the EU and the UK by providing that:

  • The dealing in goods which significantly benefit from misappropriated trade secrets is unlawful, where the dealer knew or ought to have known that the trade secret was being used unlawfully.
  • The trade secret holder may have redress against those dealing in such goods, even if there is no nexus with the person dealing in such goods (although an explanation may need to be given to the dealer as to why the goods it is dealing in have significantly benefited from misappropriated trade secrets).


Rights in trade secrets under EU law and the law of confidentiality at common law are unregistered rights and give the right-holder the right to prevent misappropriation of trade secrets. This does not include reverse engineering unless there is a relevant contractual measure preventing this (which may or may not be valid, depending on the law applicable).

A new Data Act is proposed by the EU Commission to revise the suitability of current laws related to trade secrets covering data.

United States

In 2016 the US enacted a federal trade secrets law, the Defend Trade Secrets Act (DTSA). DTSA’s definition of trade secret is “all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if: (a) the owner thereof has taken reasonable measures to keep such information secret; and (b) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information.”6

The DTSA does not pre-empt state trade secret laws, and injunctions under the DTSA may not conflict with state law prohibiting restraints on the practice of a lawful profession, trade or business.


China

Trade secrets are protected mainly under the PRC Anti-Unfair Competition Law, under which:

  • Trade secrets refer to “any technical information, operational information or commercial information which is not known to the public and has commercial value, and for which its owner has adopted measures to ensure its confidentiality.”
  • A claim for infringement can be made if any trade secret is found not easily to be unlawfully accessed, used or disclosed.
  • If litigation is instituted (with a Chinese court or an arbitration body), a trade secrets owner may find itself needing to disclose the secret information to the wrongdoer. Court proceedings in China are open to the public unless the parties specifically apply for private hearings.
  • Serious infringement may give rise to criminal liability under the PRC Criminal Law.


Australia

In Australia trade secrets are generally considered to be included as part of an organization’s confidential information. As under EU law, these are unregistered rights which could be enforced under the common law rules of confidentiality.

The importance of confidentiality to trade and commerce is supported by various items of legislation. For example, the Freedom of Information Act 1982 (Cth) (which provides a mechanism for the access to certain information held by the Australian government) reinforces the rights of trade secret holders by providing that a document may be exempt from disclosure if its disclosure would disclose trade secrets.



Where the right-holder is minded to give access to the information to certain parties, non-disclosure agreements are often entered into, giving the right-holder contractual rights as against the recipient of the information to access and use it in a certain way, and would usually include a term that the recipient should keep the information confidential.

For more information on contractual issues in relation to sharing data, see Contractual Considerations in Sharing Data.


Contractual rights

It is apparent from the foregoing that only limited types of data / datasets are capable of protection by intellectual property rights (and even less so in the case of property rights in general), and then only by a limited number of intellectual property rights in very specific circumstances.

For this reason, many businesses will wish to avoid such inherent uncertainties, and instead may place reliance on contractual controls. Contractual controls:

  • Can protect all forms of data, regardless of whether intellectual property rights or property rights in general subsist in them.7
  • Are therefore the main means to maintain and assert control over data.

Contract is used to license use of datasets even though intellectual property rights may not in fact subsist in them. Contractual licensing terms:

  • May extend to publicly available data, such as that on non-password-protected websites (which themselves may have their own terms and conditions).
  • Can bring flexibility for data-holders, enabling them to share their data assets on specific terms. For example, a data-holder may allow: (1) access to data / datasets, but not their copying; (2) use for specific purposes only; (3) access / use of data asset for a specified duration.


Loss of control?

In contracts providing for flows of data, it will be necessary to ensure that the “Consequences of Termination” clause in the contract or license provides for what happens on termination to the data, and any derived data based on the transferred data.

If data is shared, even on strict contract terms, there is a risk of permanent loss of control for the following reasons:

  • There is no guarantee that the data / datasets subject to the contract would be deleted following termination of the contract (if such a term is included in the contract).
  • There is no guarantee that the receiving party will use the data / dataset in accordance with the terms of the contract, and breach of a non-disclosure agreement is difficult to detect, particularly where lawful access has been given to the receiving party.
  • Any unlawful disclosure of the data / datasets by the receiving party is likely to be difficult to reverse.
  • If the receiving party had lawfully used the data / dataset during the term of the contract to create new goods or to generate new data or systems (such as AI), then the data / dataset subject to the contract may remain within those derived data even after the contractual relationship is terminated. 


A well-drafted contract is generally easier to enforce compared with intellectual property rights because the data / datasets subject to the contract are more clearly defined. However, unlike intellectual property rights, contractual rights can only be asserted against parties to the contract.

Where information is made publicly available (for example, on the web), it would be prudent to implement measures requiring the user to accept the terms and conditions of the website before the user is allowed to access its contents. The enforceability of browser-wrap agreements has not yet generally been tested in most jurisdictions, and because the user is not requested to positively affirm the terms and conditions, data holders may find it difficult to enforce them.

Website owners could also implement the Robots Exclusion Protocol, which provides that web crawling is not authorized, or copy protection, making it difficult for users to copy and paste contents.


1   Cofemel-Sociedade de Vestuário SA v G-Star Raw CV (Case C-683/17).

2   Feist Publications, Inc. v. Rural Telephone Service Co., 499 U.S. 340, 360 (1991) states that “the copyright in a compilation does not extend to the facts it contains.”

3   Compendium of U.S. Copyright Office Practices, § 508.2 (Third Edition (2017)).

4   British Horseracing Board Ltd v William Hill Organisation Ltd (C-203/02): the aim of the sui generis database right is to safeguard the results of the financial and professional investment made in “obtaining and collection [of] the contents” of a database, in accordance with recital 39.

5   Football Dataco & Others v Stan James Plc & Others and Sportradar GmbH & Others, [2013] EWCA Civ 27.

6   18 USC § 1839(3).

7   Ryanair Ltd v PR Aviation BV, Case C-30/14.